Conversation

@nickwinder (Collaborator)

Why

Security audit identified 17 CVEs (1 critical, 8 high, 3 moderate, 5 low) across the dependency tree. Rather than using pnpm overrides, all vulnerabilities were resolved by updating direct dependencies to their latest versions.

Summary

  • Update @modelcontextprotocol/sdk to ^1.25.2 (fixes DNS rebinding and ReDoS vulnerabilities)
  • Upgrade express from v4 to v5.2.1 (resolves qs and body-parser DoS issues)
  • Update axios to ^1.13.2 (fixes SSRF vulnerability)
  • Update multer to ^2.0.2 (fixes DoS via malformed request)
  • Update supertest to ^7.2.2 (brings in fixed form-data and qs)
  • Upgrade langchain ecosystem to 1.x (resolves ws, shell-quote, json5, openai CVEs)
  • Update eslint to ^9.39.2 and typescript-eslint to ^8.52.0 (fixes plugin-kit, js-yaml, brace-expansion)
  • Update vitest to ^4.0.16 (resolves vite vulnerabilities)

Code Changes for Compatibility

  • src/utils/Logger.ts: Updated MCPLogLevel type definition for MCP SDK 1.25.2 API changes
  • src/dashboard/routes.ts: Handle Express 5.x route param type (string | string[])
  • Test files: Updated mocking patterns for Vitest 4.x compatibility

Verification

  • pnpm audit reports 0 vulnerabilities
  • All unit tests pass
  • Build completes successfully
  • Linting passes

Update all vulnerable dependencies without requiring pnpm overrides:
- @modelcontextprotocol/sdk: ^1.13.3 → ^1.25.2 (DNS rebinding, ReDoS)
- express: ^4.21.2 → ^5.2.1 (qs DoS, body-parser DoS)
- axios: ^1.10.0 → ^1.13.2 (SSRF)
- multer: ^2.0.1 → ^2.0.2 (DoS)
- supertest: ^7.1.1 → ^7.2.2 (form-data, qs)
- langchain ecosystem: 0.3.x → 1.x (ws, shell-quote, json5, openai)
- eslint: ^9.30.1 → ^9.39.2 (plugin-kit, js-yaml)
- typescript-eslint: ^8.35.1 → ^8.52.0 (brace-expansion)
- vitest: ^3.2.4 → ^4.0.16 (vite vulnerabilities)

Code changes for compatibility:
- Logger.ts: Update MCPLogLevel type for MCP SDK 1.25.2
- routes.ts: Handle Express 5.x route param types
- Tests: Update mocking patterns for Vitest 4.x

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
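The "Handle Express 5.x route param type (string | string[])" item above is the one compatibility change with a direct security angle: once a param can be an array, handler code that was written for strings (lookups, file paths, logging) silently receives a different type. The following is an added example, not code from this repository or from Express; it assumes a local `RouteParams` stand-in for `req.params` so it runs without the express package, and the `sessionId` route and `ID_PATTERN` are hypothetical.

```typescript
// Express 5 (path-to-regexp v8) can surface route params as string | string[]
// (for example from wildcard segments), where Express 4 only produced strings.
// RouteParams is a local stand-in for req.params (assumption: same union type).
type RouteParams = Record<string, string | string[] | undefined>;

class BadRequestError extends Error {
  readonly status = 400;
  constructor(message: string) {
    super(message);
    this.name = "BadRequestError";
  }
}

// Narrow a param to exactly one string. A multi-valued param where the route
// expects a single identifier is rejected rather than silently reduced to its
// first element: downstream code (DB lookups, file paths) was written for
// strings, and an array reaching it is a type-confusion bug, not a feature.
function singleParam(params: RouteParams, name: string): string {
  const value = params[name];
  if (value === undefined) {
    throw new BadRequestError(`missing route parameter "${name}"`);
  }
  if (Array.isArray(value)) {
    const only = value[0];
    if (value.length !== 1 || only === undefined) {
      throw new BadRequestError(`route parameter "${name}" must be a single value`);
    }
    return only;
  }
  return value;
}

// Wildcard params legitimately arrive as arrays; normalise to string[] so a
// handler iterates the same way regardless of how many segments matched.
function listParam(params: RouteParams, name: string): string[] {
  const value = params[name];
  if (value === undefined) return [];
  return Array.isArray(value) ? value : [value];
}

// Hypothetical identifier format: allow-list the characters instead of passing
// the raw path segment into a query or filesystem path.
const ID_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

function validatedId(params: RouteParams, name: string): string {
  const id = singleParam(params, name);
  if (!ID_PATTERN.test(id)) {
    throw new BadRequestError(`route parameter "${name}" has an invalid format`);
  }
  return id;
}

// Minimal response shape so the helpers can be exercised without express.
interface MinimalResponse {
  status: number;
  body: unknown;
}

// Hypothetical handler for GET /sessions/:sessionId, mapping validation
// failures to a 400 instead of letting them reach the data layer.
function getSessionHandler(params: RouteParams): MinimalResponse {
  try {
    const id = validatedId(params, "sessionId");
    return { status: 200, body: { sessionId: id } };
  } catch (err) {
    if (err instanceof BadRequestError) {
      return { status: err.status, body: { error: err.message } };
    }
    throw err;
  }
}
```

In a real Express 5 route the handler would call `validatedId(req.params, "sessionId")` at the top, so the `string | string[]` union is narrowed once at the boundary and every helper below it keeps its Express-4-era `string` signature.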
@nickwinder nickwinder self-assigned this Jan 12, 2026
@nickwinder nickwinder marked this pull request as ready for review January 12, 2026 09:22
@nickwinder nickwinder changed the title from "Fix 17 security vulnerabilities (CVEs)" to "Fix security vulnerabilities (CVEs) 12-01-26" on Jan 12, 2026